Add HasExact to topology endpoint (#9010)

pull/8618/head
Freddy 2020-10-23 10:45:41 -06:00 committed by GitHub
parent 46071cbb03
commit 9c04cbc40f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 57 additions and 4 deletions

View File

@ -1622,6 +1622,8 @@ func TestInternal_ServiceTopology(t *testing.T) {
// web and web-proxy on node bar - upstream: redis
// web and web-proxy on node baz - upstream: redis
// redis and redis-proxy on node zip
// wildcard deny intention
// web -> redis exact intentino
registerTestTopologyEntries(t, codec, "")
var (
@ -1650,6 +1652,9 @@ func TestInternal_ServiceTopology(t *testing.T) {
Allowed: false,
HasPermissions: false,
ExternalSource: "nomad",
// From wildcard deny
HasExact: false,
},
}
require.Equal(r, expectUp, out.ServiceTopology.UpstreamDecisions)
@ -1675,6 +1680,9 @@ func TestInternal_ServiceTopology(t *testing.T) {
Allowed: false,
HasPermissions: false,
ExternalSource: "nomad",
// From wildcard deny
HasExact: false,
},
}
require.Equal(r, expectDown, out.ServiceTopology.DownstreamDecisions)
@ -1686,6 +1694,7 @@ func TestInternal_ServiceTopology(t *testing.T) {
redis.String(): {
Allowed: false,
HasPermissions: true,
HasExact: true,
},
}
require.Equal(r, expectUp, out.ServiceTopology.UpstreamDecisions)
@ -1712,6 +1721,7 @@ func TestInternal_ServiceTopology(t *testing.T) {
web.String(): {
Allowed: false,
HasPermissions: true,
HasExact: true,
},
}
require.Equal(r, expectDown, out.ServiceTopology.DownstreamDecisions)

View File

@ -500,6 +500,12 @@ func (s *Store) IntentionDecision(
}
resp.ExternalSource = ixnMatch.Meta[structs.MetaExternalSource]
// Intentions with wildcard namespaces but specific names are not allowed (*/web -> */api)
// So we don't check namespaces to see if there's an exact intention
if ixnMatch.SourceName != structs.WildcardSpecifier && ixnMatch.DestinationName != structs.WildcardSpecifier {
resp.HasExact = true
}
return resp, nil
}

View File

@ -1132,6 +1132,16 @@ func TestStore_IntentionDecision(t *testing.T) {
},
},
},
&structs.ServiceIntentionsConfigEntry{
Kind: structs.ServiceIntentions,
Name: "mysql",
Sources: []*structs.SourceIntention{
{
Name: "*",
Action: structs.IntentionActionAllow,
},
},
},
}
s := testConfigStateStore(t)
@ -1167,6 +1177,7 @@ func TestStore_IntentionDecision(t *testing.T) {
expect: structs.IntentionDecisionSummary{
Allowed: false,
HasPermissions: true,
HasExact: true,
},
},
{
@ -1176,6 +1187,7 @@ func TestStore_IntentionDecision(t *testing.T) {
expect: structs.IntentionDecisionSummary{
Allowed: false,
HasPermissions: false,
HasExact: true,
},
},
{
@ -1186,6 +1198,17 @@ func TestStore_IntentionDecision(t *testing.T) {
Allowed: true,
HasPermissions: false,
ExternalSource: "nomad",
HasExact: true,
},
},
{
name: "allowed by source wildcard not exact",
src: "anything",
dst: "mysql",
expect: structs.IntentionDecisionSummary{
Allowed: true,
HasPermissions: false,
HasExact: false,
},
},
}

View File

@ -645,11 +645,13 @@ type IntentionQueryCheckResponse struct {
// Currently contains:
// - Whether all actions are allowed
// - Whether the matching intention has L7 permissions attached
// - Whether the intention is managed by an external source like k8s,
// - Whether the intention is managed by an external source like k8s
// - Whether there is an exact, on-wildcard, intention referencing the two services
type IntentionDecisionSummary struct {
Allowed bool
HasPermissions bool
ExternalSource string
HasExact bool
}
// IntentionQueryExact holds the parameters for performing a lookup of an

View File

@ -316,8 +316,8 @@ RPC:
downstreams, _ := summarizeServices(out.ServiceTopology.Downstreams.ToServiceDump(), nil, "")
var (
upstreamResp []*ServiceTopologySummary
downstreamResp []*ServiceTopologySummary
upstreamResp = make([]*ServiceTopologySummary, 0)
downstreamResp = make([]*ServiceTopologySummary, 0)
)
// Sort and attach intention data for upstreams and downstreams

View File

@ -1369,9 +1369,11 @@ func TestUIServiceTopology(t *testing.T) {
Intention: structs.IntentionDecisionSummary{
Allowed: true,
HasPermissions: false,
HasExact: true,
},
},
},
Downstreams: []*ServiceTopologySummary{},
FilteredByACLs: false,
}
result := obj.(ServiceTopology)
@ -1410,6 +1412,7 @@ func TestUIServiceTopology(t *testing.T) {
Intention: structs.IntentionDecisionSummary{
Allowed: true,
HasPermissions: false,
HasExact: true,
},
},
},
@ -1429,6 +1432,9 @@ func TestUIServiceTopology(t *testing.T) {
Allowed: false,
HasPermissions: false,
ExternalSource: "nomad",
// From wildcard deny
HasExact: false,
},
},
},
@ -1474,6 +1480,7 @@ func TestUIServiceTopology(t *testing.T) {
Intention: structs.IntentionDecisionSummary{
Allowed: false,
HasPermissions: true,
HasExact: true,
},
},
},
@ -1491,6 +1498,9 @@ func TestUIServiceTopology(t *testing.T) {
Allowed: false,
HasPermissions: false,
ExternalSource: "nomad",
// From wildcard deny
HasExact: false,
},
},
},
@ -1522,6 +1532,7 @@ func TestUIServiceTopology(t *testing.T) {
expect := ServiceTopology{
Protocol: "http",
Upstreams: []*ServiceTopologySummary{},
Downstreams: []*ServiceTopologySummary{
{
ServiceSummary: ServiceSummary{
@ -1537,6 +1548,7 @@ func TestUIServiceTopology(t *testing.T) {
Intention: structs.IntentionDecisionSummary{
Allowed: false,
HasPermissions: true,
HasExact: true,
},
},
},